Identifier-based signcryption with two trusted authorities

ABSTRACT

Identifier-based signcryption methods and apparatus are disclosed both for signing and encrypting data, and for decrypting and verifying data. The signcryption methods use computable bilinear mappings and can be based, for example, on Weil or Tate pairings. A message sender associated with a first trusted authority carries out integrated signing/encryption processes to send a signed, encrypted message to an intended recipient associated with a second trusted authority. The recipient then carries out integrated decryption/verification processes to recover the original message and verify its origin.

CROSS-REFERENCE TO RELATED APPLICATIONS

The subject matter of the present application may also be related to the following U.S. Patent Application: “Identifier-Based Signcryption,” Ser. No. 10/977,342, filed Oct. 29, 2004.

FIELD OF THE INVENTION

The present invention relates to methods and apparatus for implementing an identifier-based signcryption cryptographic scheme with two trusted authorities. A “signcryption” scheme is one that combines both data encryption and signature to obtain private and authenticated communications.

BACKGROUND OF THE INVENTION

As is well known to persons skilled in the art, in “identifier-based” cryptographic (IBC) methods a public, cryptographically unconstrained, string is used in conjunction with a public key of a trusted authority to carry out tasks such as data encryption and signing. The complementary tasks, such as decryption and signature verification, require the involvement of the trusted authority to carry out a computation based on the public string and a private key that is related to its public data. In message-signing applications and frequently also in message encryption applications, the string serves to “identify” a party (the sender in signing applications, the intended recipient in encryption applications); this has given rise to the use of the label “identifier-based” or “identity-based” generally for these cryptographic methods. However, at least in certain encryption applications, the string may serve a different purpose to that of identifying the intended recipient and, indeed, may be an arbitrary string having no other purpose than to form the basis of the cryptographic processes. Accordingly, the use of the term “identity-based” or “identifier-based” herein in relation to cryptographic methods and systems is to be understood simply as implying that the methods and systems are based on the use of a cryptographically unconstrained string whether or not the string serves to identify the intended recipient. Furthermore, as used herein the term “string” is simply intended to imply an ordered series of bits whether derived from a character string, a serialized image bit map, a digitized sound signal, or any other data source.

The current most practical approach to building identifier-based cryptosystems uses bilinear pairings. A brief overview of pairings-based cryptography will next be given. In the present specification, G₁ and G₂ denote two algebraic groups of large prime order l in which the discrete logarithm problem is believed to be hard and for which there exists a non-degenerate computable bilinear map p, for example, a Tate pairing or Weil pairing. Note that G₁ is a [l]-torsion subgroup of a larger algebraic group G₀ and satisfies [l]P=O for all PεG₁ where O is the identity element, l is a large prime, and l*cofactor=number of elements in G₀. The group G₂ is a subgroup of a multiplicative group of a finite field.

For the Weil pairing: the bilinear map p is expressed as p: G ₁ ×G ₁ →G ₂.

The Tate pairing can be similarly expressed though it is possible for it to be of asymmetric form: p: G ₁ ×G ₀ →G ₂

Generally, the elements of the groups G₀ and G₁ are points on an elliptic curve (typically, though not necessarily, a supersingular elliptic curve); however, this is not necessarily the case.

For convenience, the examples given below assume the use of a symmetric bilinear map (p: G₁×G₁→G₂) with the elements of G₁ being points on an elliptic curve; however, these particularities, are not to be taken as limitations on the scope of the present invention.

As is well known to persons skilled in the art, for cryptographic purposes, modified forms of the Weil and Tate pairings are used that ensure p(P,P)≠1 where PεG₁; however, for convenience, the pairings are referred to below simply by their usual names without labeling them as modified.

As the mapping between G₁ and G₂ is bilinear, exponents/multipliers can be moved around. For example if a, b, cεZ (where Z is the set of all integers) and P, QεG₁ then

$\begin{matrix} {{p\mspace{11mu}\left( {{aP},{bQ}} \right)^{c}} = {{p\mspace{11mu}\left( {{aP},{cQ}} \right)^{b}} = {{p\mspace{11mu}\left( {{bP},{cQ}} \right)^{a}} = {p\mspace{11mu}\left( {{bP},{aQ}} \right)^{c}}}}} \\ {= {{p\mspace{11mu}\left( {{cP},{aQ}} \right)^{b}} = {{p\mspace{11mu}\left( {{cP},{bQ}} \right)^{a}} = {p\mspace{11mu}\left( {{abP},Q} \right)^{c}}}}} \\ {= {{p\mspace{11mu}\left( {{abP},{cQ}} \right)} = {{p\mspace{11mu}\left( {P,{abQ}} \right)^{c}} = {{p\mspace{11mu}\left( {{cP},{abQ}} \right)} = \ldots}}}} \\ {= {{p\mspace{11mu}\left( {{abcP},Q} \right)} = {{p\mspace{11mu}\left( {P,{abcQ}} \right)} = {p\mspace{11mu}\left( {P,Q} \right)^{abc}}}}} \end{matrix}$

A normal public/private key pair can be defined for a trusted authority:

-   -   the private key is s         -   where sεZ_(l) and     -   the public key is (P, R)         -   where P and R are respectively master and derived public             elements with PεG₁ and RεG₁, P and R being related by R=sP

With the cooperation of the trusted authority, an identifier-based public key/private key pair <Q_(ID), S_(ID)> can be defined for a party with identity string ID where: Q _(ID) ,S _(ID) εG ₁. S _(ID) =sQ _(ID) Q _(ID) =H ₁(ID) H ₁ is a hash: {0,1}*→G ₁

Further background regarding Weil and Tate pairings and their cryptographic uses (such as for encryption and signing) can be found in the following references:

-   -   G. Frey, M. Müller, and H. Rück. The Tate pairing and the         discrete logarithm applied to elliptic curve cryptosystems. IEEE         Transactions on Information Theory, 45(5):1717-1719, 1999.     -   D. Boneh and M. Franklin. Identity based encryption from the         Weil pairing. In Advances in Cryptology—CRYPTO 2001, LNCS 2139,         pp. 213-229, Springer-Verlag, 2001.

With regard to the latter reference, it may be noted that this reference describes both a fully secure encryption scheme using the Weil pairing and, as an aid to understanding this fully-secure scheme, a simpler scheme referred to as “BasicIdent” which is acknowledged not to be secure against a chosen ciphertext attack.

As already mentioned above, the present invention is concerned with signcryption cryptographic schemes. A “signcryption” primitive was proposed by Zheng in 1997 in the paper: “Digital Signcryption or How to Achieve Cost(Signature & Encryption)<<Cost(Signature)+Cost(Encryption).” Y. Zheng, in Advances in Cryptology—CRYPTO '97, volume 1294 of Lecture Notes in Computer Science, pages 165-179, Springer-Verlag, 1997. This paper also proposed a discrete logarithm based scheme.

Identity-based signcryption is signcryption that uses identity-based cryptographic algorithms. A number of identity-based signcryption schemes have been proposed such as described in the paper “Multipurpose Identity-Based Signcryption: A Swiss Army Knife for Identity-Based Cryptography” X. Boyen, in Advances in Cryptology—CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 382-398, Springer-Verlag, 2003. This paper also proposes a security model for identity-based signcryption that is based on six algorithms SETUP, EXTRACT, ENCRYPT, DECRYPT and VERIFY. For convenience of describing the prior art and the preferred embodiments of the invention, a similar set of six algorithms is used herein and the functions of each of these algorithms will now be described with reference to FIG. 1 of the accompanying drawings; it should, however, be understood that the present invention is not intended to be limited to implementations using such a set of six algorithms.

In FIG. 1 the algorithms SETUP 20 and EXTRACT 21 are associated with a trusted authority, the algorithms SIGN 22 and ENCRYPT 23 with a party A, and the algorithms DECRYPT 24 and VERIFY 25 with a party B. The functions of these algorithms are as follows:

-   -   SETUP—On input of a security parameter k this algorithm produces         a pair <params, s> where “params” are the global public         parameters for the system and s is the master secret key. The         public parameters “params” include a global public key R, a         description of a finite message space M, a description of a         finite signature space S, and a description of a finite         ciphertext space C. It is assumed below that “params” are         publicly known and are therefore not explicitly provided as         input to the other algorithms.     -   EXTRACT—On input of an identity ID_(U) and the master secret key         s, this algorithm computes a secret key S_(U) corresponding to         ID_(U).     -   SIGN—On input of <m, S_(A)>, this algorithm produces a signature         σ on m under ID_(A) and some ephemeral state data r.     -   ENCRYPT—On input of <S_(A), ID_(B), m, σ, r>, this algorithm         produces a ciphertext c. This is the encryption under ID_(B)'s         public key of m and of ID_(A)'s signature on m.     -   DECRYPT—on input of <c′, S_(B)>, this algorithm produces (m′,         ID_(A)′, σ′) where m′ is a message and σ′ is a purported         signature on m′ of party with identity ID_(A)′.     -   VERIFY—On input of <m′, ID_(A)′, σ′>, this algorithm outputs         True if σ is the signature of the party represented by ID_(A) on         m, and it outputs False otherwise.

The marking of a quantity with ′ (as in m′) is to indicate that its equivalence to the unmarked quantity has to be tested.

The above individual algorithms 20 to 25 have the following consistency requirement. If: (m,σ,r)←SIGN(m,S _(A)) c←ENCRYPT(S _(A) ,ID _(B) ,m,σ,r) (m′,ID _(A)′,σ′)←DECRYPT(c,S _(B))

Then the following must hold: ID _(A) ′=ID _(A) m′=m True←VERIFY(m′,ID _(A)′,σ′)

It should be noted that other ways of modelling identity-based signcryption exist; for example, the signing and encryption algorithms may be treated as a single signcryption algorithm as are the decryption and verification algorithms. However, the above-described model will be used in the present specification.

The implementation of a signcryption scheme using the above six algorithms is straight-forward:

-   -   a trusted authority first executes SETUP;     -   the trusted authority executes EXTRACT to provide party A with         the latter's secret key S_(A);     -   party A executes SIGN to form a signature σ on a message m, and         ENCRYPT to encrypt the message m together with the signature;     -   the trusted authority executes EXTRACT to provide party B with         the latter's secret key S_(B);     -   party B executes DECRYPT to recover m′, σ′ and a sender         identity, and then VERIFY to verify the signature.

It will be appreciated that the execution of EXTRACT to provide S_(B) can be carried out at any time before DECRYPT is run.

The specific identity-based signcryption scheme described in the above-referenced paper by Boyen is based on bilinear pairings with the algorithms being implemented as follows:

Setup

-   -   Establish public parameters G₁, G₂, l, q and the following         cryptographic hash functions:         H ₁: {0,1}^(k) ¹ →G ₁         H ₂: {0,1}^(k) ⁰ ^(+n) →Z _(l)*         H ₃ : G ₂→{0,1}^(k) ⁰         H ₄ : G ₂ →Z _(l)*         H ₅ : G ₁→{0,1}^(k) ¹ ^(+n)         -   where:             -   k₀ is the number of bits required to represent an                 element of G₁;             -   k₁ is the number of bits required to represent an                 identity; and             -   n is the number of bits of a message to be signed and                 encrypted.     -   Choose P such that <P>=G₁ that is, P is a generator for the         cyclic group G₁.     -   Choose s uniformly at random from Z_(l)*.     -   Compute the global public key R←sP.         Extract

To extract the private key for user U with ID_(U)ε{0,1}^(k) ¹ :

-   -   compute the public key Q_(U)←H₁(ID_(U))     -   compute the secret key S_(U)←sQ_(U)         Sign

For user A with identity ID_(A) to sign a message mε{0,1}^(n) with private key S_(A) corresponding to public key Q_(A)←H₁(ID_(A)):

-   -   choose r uniformly at random from Z_(l)* and compute:         X←rQ _(A)     -   compute:         h←H ₂(X∥m)         -   where ∥ indicates concatenation             J←(r+h)S _(A)     -   return r and the signature σ=<X, J>.         Encrypt

For user A with identity ID_(A) to encrypt message m, using r and σ output by SIGN, for user B with identity ID_(B):

-   -   compute:         Q _(B) ←H ₁(ID _(B))         w←p(S _(A) ,Q _(B))         t←H ₄(w)         Y←tX         u←w ^(tr)     -   compute:         f=H ₃(u)⊕J         v=H ₅(J)⊕(ID _(A) ∥m)     -   return the ciphertext c: <Y, f, v>.         Decrypt

For user B with identity ID_(B) to decrypt ciphertext c′: <Y′, f′, v′> using S_(B)←H₁(ID_(B)):

-   -   compute:         u′←p(Y′,S _(B))         J′←f′⊕H ₃(u′)     -   compute:         H ₅(J′)⊕v′     -   to recover string: ID_(A)′∥m′     -   compute:         Q _(A) ′←H ₁(ID _(A)′)         w′←p(Q _(A) ′,S _(B))         t′←H ₄(w′)         X′←(t′)⁻¹ Y     -   return the message m′, the signature σ′=<X′, J′>, and the         identity ID_(A)′ of the purported sender.         Verify

To verify that the signature σ′ on message m′ is that of user A where A has identity ID_(A):

-   -   compute:         h′←H ₂(X′∥m′)     -   check whether:         p(J′,P)=p(R,X′+h′Q _(A)′)     -   and, if so, return True, else return False.

The foregoing signature algorithm SIGN is based on an efficient signature scheme proposed in the paper “An Identity-Based Signature from Gap Diffie-Hellman Groups” J. C. Cha and J. H. Cheon, in Public Key Cryptography—PKC 2003, volume 2567 of Lecture Notes in Computer Science, pages 18-30, Springer-Verlag, 2003.

Our co-pending U.S. patent application Ser. No. 10/977,342 filed Oct. 29, 2004 discloses an identity-based signcryption scheme that uses bilinear maps and provides improved efficiency. However, the signcryption scheme disclosed in that application involves the message sender and message receiver using the same trusted authority. In many practical applications, the message sender and message recipient will belong to different trusted-authority domains. Prior IBC solutions for such situations generally involve separate identity-based signature and encryption schemes with each scheme using the trusted authorities of both the message sender and receiver.

It is an object of the invention to provide a signcryption scheme where the message sender and message receiver belong to different trusted-authority domains.

SUMMARY OF THE INVENTION

According to one aspect of the present invention, there is provided an identifier-based signcryption method using bilinear maps, in which a first party associated with a first identifier string ID_(A) signcrypts data m intended for a second party associated with a second identifier string ID_(B), the first and second parties being respectively associated with first and second trusted authorities that have different respective public keys and different respective private keys s₁ and s₂; the method comprising:

-   -   the first trusted authority providing the first party with a         private-key element S_(A) based on the first identifier string         ID_(A) and the first trusted party's private key s₁, and     -   the first party signcrypting the data m using at least the         public keys of the first and second trusted authorities, its own         private-key element S_(A) and the second identifier string         ID_(B).

In one preferred embodiment, the public keys of the two trusted authorities have a common master element P as well as different derived elements R_(T1), R_(T2) formed by combining the selected element with their respective private keys. More particularly, in this preferred embodiment, the public key of the first trusted authority comprises elements P and R_(T1) where R_(T1)=s₁P, and the public key of the second trusted authority comprises the element P and an element R_(T2) where R_(T2)=s₂P; the private-key element S_(A) of the first party being formed as s₁Q_(A) where Q_(A) is an element formed from the first identifier string ID_(A), and the second party having an associated element Q_(B) formed from the second identifier string ID_(B), said elements being members of an algebraic group G₀ with at least the elements P, R_(T1) and R_(T2) being in a subgroup G₁ of G₀ where G₁ is of prime order l and in respect of which there exists a computable bilinear map p; the first party signcrypting the data m by a process comprising:

-   -   (a) signing m by computing:         X←rP         -   where r is randomly chosen in Z_(l)*;             h←H ₂(C ₁(at least X and m))         -   where H₂: {0,1}*→Z_(l) and C₁( ) is a deterministic             combination function,             J←(rR _(T1) +hS _(A))     -   (b) encrypting m and signature data by computing:         -   w as the bilinear mapping of elements Q_(B), and rR_(T2),             and             f←Enc(w,C ₂(at least J and m))             -   where Enc( ) is a symmetric-key encryption function                 using w as key, and C₂( ) is a reversible combination                 function;     -   (c) outputting ciphertext comprising X and f.

In a further preferred embodiment, the public keys of the two trusted authorities have different master elements P_(T1), P_(T2) as well as different derived elements R_(T1), R_(T2). More particularly, in this further preferred embodiment, the public key of the first trusted authority comprises an element P_(T1) and an element R_(T1) where R_(T1)=s₁P_(T1), and the public key of the second trusted authority comprises an element P_(T2) and an element R_(T2) where R_(T2)=s₂P_(T2); the private-key element S_(A) of the first party being formed as s₁Q_(A) where Q_(A) is an element formed from the first identifier string ID_(A), and the second party having an associated element Q_(B) formed from the second identifier string ID_(B), said elements being members of an algebraic group G₀ with at least the elements P_(T1), P_(T2), R_(T1) and R_(T2) being in a subgroup G₁ of G₀ where G₁ is of prime order l and in respect of which there exists a computable bilinear map p; the first party signcrypting the data m by a process comprising:

-   -   (a) signing m by computing:         X ₁ ←rP _(T1)         X ₂ ←rP _(T2)         -   where r is randomly chosen in Z_(l)*;             h←H ₂(C ₁(at least X ₁ , X ₂ and m))         -   where H₂: {0,1}*→Z_(l) and C₁( ) is a deterministic             combination function,             J←(rR _(T1) +hS _(A))     -   (b) encrypting m and signature data by computing:         -   w as the bilinear mapping of elements Q_(B) and rR_(T2), and             f←Enc(w,C ₂(at least J and m))         -   where Enc( ) is a symmetric-key encryption function using w             as key, and C₂( ) is a reversible combination function;     -   (c) outputting ciphertext comprising X₁, X₂ and f.

In these preferred embodiments, the signature step is based on a modified form of the signature algorithm used by the Boyen prior art signcryption scheme described above. The encryption step uses a more efficient algorithm to that of Boyen; in fact, analysis shows that the encryption step uses an algorithm similar to the “BasicIdent” encryption algorithm described in the above-mentioned paper by Boneh and Franklin. However, the way the encryption step is carried out with respect to the signature step now ensures that the signcryption method of the preferred embodiments is secure against a chosen ciphertext attack unlike the “BasicIdent” algorithm itself.

According to a second aspect of the present invention, there is provided an identifier-based signcryption method in which a second party, associated with an element Q_(B) formed from a second identifier string ID_(B), decrypts and verifies received ciphertext <X′, f′> that is purportedly a signcryption of subject data m by a first party, associated with an element Q_(A) formed from a first identifier string ID_(A); the first party being associated with a first trusted authority that has a public key comprising elements P and R_(T1) where R_(T1)=s₁P, and the second party being associated with a second trusted authority that has a public key comprising the element P and an element R_(T2) where R_(T2)=s₂P, said elements being members of an algebraic group G₀ with at least the elements P, R_(T1) and R_(T2) being in a subgroup G₁ of G₀ where G₁ is of prime order l and in respect of which there exists a computable bilinear map p; the method comprising the second party:

-   -   (a) decrypting the received ciphertext by computing:         w′ as a bilinear mapping of elements S _(B) and X′         -   where S_(B)=s₂Q_(B) is a private key supplied by the second             trusted authority and s₂ is a secret key held by that             trusted authority;             Dec(w′,f′)         -   where Dec( ) is a symmetric-key decryption function using w′             as key,         -   with at least quantities J′ and m′ being recovered from the             result;     -   (b) verifying that the ciphertext is from the first party by         computing:         Q _(A) ′←H ₁(ID _(A)′)         -   where H₁( ) is a hash function;             h′←H ₂(C ₁(at least: X′ and m′))         -   where H₂: {0,1}*→Z_(l) and C₁( ) is a deterministic             combination function, and then checking whether:             p(J′,P)=p(R _(T1) ,X′+h′Q _(A)′)         -   where R_(T1)=s₁P and is formed by the first trusted             authority, and s₁ is a secret key held by that trusted             authority.

According to a third aspect of the present invention, there is provided an identifier-based signcryption method in which a second party, associated with an element Q_(B) formed from a second identifier string ID_(B), decrypts and verifies received ciphertext <X′₁, X′₂, f′> that is purportedly a signcryption of subject data m by a first party, associated with an element Q_(A) formed from a first identifier string ID_(A); the first party being associated with a first trusted authority that has a public key comprising elements P_(T1) and R_(T1) where R_(T1)=s₁P_(T1), and the second party being associated with a second trusted authority that has a public key comprising an element P_(T2) and an element R_(T2) where R_(T2)=s₂P_(T2), said elements being members of an algebraic group G₀ with at least the elements P_(T1), P_(T2), R_(T1) and R_(T2) being in a subgroup G₁ of G₀ where G₁ is of prime order l and in respect of which there exists a computable bilinear map p; the method comprising the second party:

-   -   (a) decrypting the received ciphertext by computing:         w′ as a bilinear mapping of elements S _(B) and X′ ₂         -   where S_(B)=s₂Q_(B) is a private key supplied by the second             trusted authority and s₂ is a secret key held by that             trusted authority;             Dec(w′,f′)         -   where Dec( ) is a symmetric-key decryption function using w′             as key,     -   with at least quantities J′ and m′ being recovered from the         result;     -   (b) verifying that the ciphertext is from the first party by         computing:         Q _(A) ′∂H ₁(ID _(A)′)         -   where H₁( ) is a hash function;             h′←H ₂(C ₁(at least: X′ ₁ , X′ ₂ and m′))         -   where H₂: {0,1}*→Z_(l) and C₁( ) is a deterministic             combination function, and then carrying out at least a check             as to whether:             p(P _(T1) ,J′)=p(R _(T1) ,X′ ₁ +h′Q′ _(A)).         -   where R_(T1)=s₁P and is formed by the first trusted             authority, and s₁ is a secret key held by that trusted             authority.

It will be appreciated by persons skilled in the art that the pairings-based checks carried by the second party in the methods of the second and third aspects of the present invention, can be expressed in a variety of different forms due to the bilinear nature of the mapping p with each form of expression having a corresponding computational implementation. All implementations of the equivalent expressions effectively perform the same check and accordingly the foregoing statement of the invention is not to be read as restricted by the form of expression used to specify the check.

The present invention also encompasses apparatus, systems and computer program products embodying the methods of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention will now be described, by way of non-limiting example, with reference to the accompanying diagrammatic drawings, in which:

FIG. 1 is a diagram illustrating component algorithms of an identity-based signcryption scheme according to a prior-art proposal;

FIG. 2 is a diagram of a first system embodying the present invention; and

FIG. 3 is a diagram of a second system embodying the present invention; and

BEST MODE OF CARRYING OUT THE INVENTION

In the following description, G₁, G₂ are two groups of large prime order l for which there exists a non-degenerate computable bilinear map p: G₁×G₁→G₂ whereby for all P₁, P₂εG₁ and all integers a and b: p(aP ₁ ,bP ₂)=p(P ₁ ,P ₂)^(ab).

The construction for such groups normally (though not necessarily) uses supersingular elliptic curves over finite fields F_(q) (where q is a prime power) and the use of such a curve will be assumed here (the curve y²=x³+1 being used as an example). The corresponding bilinear map is a modification of the Weil/Tate pairing. Note that G₁ is a [l]-torsion group satisfying [l]P=O for all PεG₁ where O is the infinite element, l is a large prime, and l*cofactor=number of points on curve in F_(q).

In addition, three hash functions H₁, H₂ and H₃ are used with co-domains G₁, Z*_(l) and {0,1}^(k) ⁰ ^(+k) ¹ ^(+n) respectively, that is: H ₁: {0,1}^(k) ¹ →G ₁ H ₂: {0,1}^(k) ⁰ ^(+n) →Z* _(l) H ₃ : G ₂→{0,1}^(k) ⁰ ^(+k) ¹ ^(+n)

-   -   where:         -   k₀ is the number of bits required to represent an element of             G₁;         -   k₁ is the number of bits required to represent an identity;             and         -   n is the number of bits of a message to be signed and             encrypted.

In the following, the notation uε_(R) V is used to denote u being selected uniformly at random from the set V.

Two embodiments of the invention are described below in which a party A is arranged to sign and encrypt a message m and send it to a second party B for decryption and verification of the signature. Both embodiments employ signcryption schemes in which the first party A uses a secret S_(A) that is securely provided by a first trusted authority T1 and is based on a public identity of party A and a secret of the first trusted authority, and the second party B uses a secret S_(B) that is securely provided by the second trusted authority and is based on a public identity of party B and a secret of the second trusted authority. In the first embodiment, both trusted authorities use the same master public point P on the same elliptic curve, in the second embodiment, the trusted authorities use different master public points, P_(T1) and P_(T2) respectively on the same elliptic curve.

The signcryption schemes of the first and second embodiments will be described below in terms of the six algorithms SETUP, EXTRACT, SIGN, ENCRYPT, DECRYPT, and VERIFY described above and depicted in FIG. 1, it being appreciated that other models for describing the signcryption schemes of the first and second embodiments are also possible.

For both the first embodiment (illustrated in FIG. 2) and the second embodiment (illustrated in FIG. 3) the four parties involved act through respective computing entities. Thus, the first party A acting through computing entity 40, the second party B acts through computing entity 42, the first trusted authority T1 acts through computing entity 44, and the second trusted authority T2 acts through computing entity 46. The computing entities 40, 42, 44 and 46 are typically based around program-controlled processors though some or all of the cryptographic functions may be implemented in dedicated hardware. The entities 40, 42, 44 and 46 inter-communicate, for example, via the internet or other computer network 48 though it is also possible that two, three or all four entities actually reside on the same computing platform; alternatively data can be transferred between the computing entities using portable storage media.

For convenience, the following description is given in terms of the parties A, B, T1 and T2, it being understood that these parties act through their respective computing entities.

The details of the first embodiment will next be considered.

Setup

The SETUP algorithm (block 50 in FIG. 2) comprises the following steps:

-   -   1. Establish public parameters G₁, G₂, l, q and the         cryptographic hashes H₁( ), H₂( ) and H₃( ).     -   2. Choose P such that <P>=G₁ that is, P is a generator for the         cyclic group G₁.     -   3. For each trusted authority T1 and T2, choose a secret s         uniformly at random from Z_(l)*; thus, T1 chooses its master         private key s₁ε_(R)Z*_(l), and T2 chooses its master private key         s₂ε_(R) Z*_(l),     -   4. For each trusted authority T1 and T2 compute a corresponding         derived public key element R←sP; thus T1 computes R_(T1)←s₁P and         T2 computes R_(T2←s) ₂P.

Steps 1 and 2 of the SETUP algorithm can be performed by one or other of the trusted authorities T1, T2 or by any other entity.

Extract

To extract the private key for party U with ID_(U)ε{0,1}^(k) ¹ , the trusted authority with which the user is associated executes the following EXTRACT algorithm (block 51 in FIG. 2):

-   -   1. Compute the public key for the party U; thus, for party A the         first trusted authority T1 computes Q_(A)←H₁(ID_(A)), and for         party B, the second trusted authority T2 computes         Q_(B)←H₁(ID_(B)).     -   2. Compute the secret key S_(U)←sQ_(U); thus, for the first         party A the first trusted authority T1 computes S_(A)←s₁Q_(A),         and for the second party B, the second trusted authority T2         computes S_(B)←s₂Q_(B).

The private keys for parties A and B are securely communicated to each party.

Sign

Party A with identity ID_(A) signs a message mε{0,1}^(n) using private key S_(A) corresponding to public key Q_(A)←s₁H₁(ID_(A)) by executing the steps of the following SIGN algorithm (block 52 in FIG. 2):

-   -   1. Chooses r ε_(R) Z*_(l)     -   2. Compute X←rP     -   3. Compute h←H₂(X, m)     -   4. Compute J←rR_(T1)+hS_(A)     -   5. Forward r and the signature σ=<X, J> to ENCRYPT         Encrypt

Party A with identity ID_(A) encrypts message m using the output of SIGN and the identity ID_(B) of the intended receiver by executing the steps of the following ENCRYPT algorithm (block 53 in FIG. 2):

-   -   1. Compute Q_(B)←H₁(ID_(B))     -   2. Compute w←p(Q_(B), rR_(T2))     -   3. Compute f←H₃(w)⊕(J∥ID_(A)∥m)         -   where ∥ represents concatenation and ⊕ the Exclusive OR             function.     -   4. Return ciphertext c: <X, f>

Party A then outputs the ciphertext c for receipt by party B. Party B receives ciphertext c′ which is purportedly is ciphertext provided by party A (that is, ciphertext c).

Decrypt

Party B with identity ID_(B) decrypts ciphertext c′: <X′, f′> using S_(B)←s₂H₁(ID_(B)) by executing the steps of the following DECRYPT algorithm (block 54 in FIG. 2):

-   -   1. Compute w′←p(S_(B), X′)     -   2. Compute: f′⊕H₃(w′) and, taking this to be the string:         J′∥ID_(A)′∥m′, recover from this string its constituent         components.     -   3. Return the message m′, the signature σ′=<X′, J′>, and the         identity ID_(A)′ of the purported sender.         Verify

Party B then verifies the signature <X′, J′> of party A on message m by executing the steps of the following VERIFY algorithm (block 55 in FIG. 2):

-   -   1. Compute Q′_(A)←H₁(ID′_(A))     -   2. Compute h′←H₂(X′, m′)     -   3. Check whether:         p(P,J′)=p(R _(T1) ,X′+h′Q′ _(A))         -   if this check is passed, return True, otherwise return             False.

The second embodiment will now be described with reference to FIG. 3, it being recalled that in the second embodiment, the trusted authorities use different master public points, P_(T1) and P_(T2) respectively on the same elliptic curve.

Setup

The SETUP algorithm (block 60 in FIG. 3) comprises the following steps:

-   -   1. Establish public parameters G₁, G₂, l, q and the         cryptographic hashes H₁( ), H₂( ) and H₃( ).     -   2. For each trusted authority T1 and T2, obtain P such that         <P>=G₁ that is, P is a generator for the cyclic group G₁, the         chosen points being such that they are not easily related; thus,         trusted authority T1 obtains P_(T1) and the trusted authority T2         obtains P_(T2).     -   3. For each trusted authority T1 and T2, choose a secret s         uniformly at random from Z_(l)*; thus, T1 chooses its master         private key s₁ε_(R)Z_(l)*, and T2 chooses its master private key         s₂ε_(R)Z_(l)*,     -   4. For each trusted authority T1 and T2, compute a corresponding         derived public key element R←sP; thus T1 computes         R_(T1)←s₁P_(T1) and T2 computes R_(T2)←s₂P_(T2).

Step 1 of the SETUP algorithm can be performed by either one of the trusted authorities T1, T2 or by any other entity. With regard to step 2, in order to avoid cryptographic weakness arising from the two points P_(T1) and P_(T2) chosen by the trusted authorities T1 and T2 being easily related, the points are preferably derived from respective identifier strings, ID_(T1) and ID_(T2) of the trusted authorities T1 and T2. Thus: P _(T1) =H ₁(ID _(T1)) and P _(T2) =H ₁(ID _(T2)).

Each trusted party can choose its identifier string at random or as any meaningful information of the trusted authority (for example, a contact address such as the URL of a website of the trusted authority) together with a definition of the identifier string formats that it accepts from users for private key generation in step 4. Providing such meaningful information in the string from which P_(T1)/P_(T2) can be generated by any party gives a convenient way of distributing such information.

Extract

To extract the private key for party U with ID_(U)ε{0,1}^(k) ¹ , the trusted authority with which the user is associated executes the following EXTRACT algorithm (block 61 in FIG. 3):

-   -   1. Compute the public key for the party U; thus, for party A the         first trusted authority T1 computes Q_(A)←H₁(ID_(A)), and for         party B, the second trusted authority T2 computes         Q_(B)←H₁(ID_(B)).     -   2. Compute the secret key S_(U)←sQ_(U); thus, for the first         party A the first trusted authority T1 computes S_(A)←s₁Q_(A),         and for the second party B, the second trusted authority T2         computes S_(B)←s₂Q_(B).

The private keys for parties A and B are securely communicated to each party.

Sign

Party A with identity ID_(A) signs a message mε{0,1}^(n) using private key S_(A) corresponding to public key Q_(A)←s₁H₁(ID_(A)) by executing the steps of the following SIGN algorithm (block 62 in FIG. 3):

-   -   1. Chooses r ε_(R) Z*_(l)     -   2. Compute X₁=rP_(T1) and X₂=rP_(T2)     -   3. Compute h=H₂(X₁, X₂, m)     -   4. Compute J←rR_(T1)+hS_(A)     -   5. Forward r and the signature σ=<X₁, X₂, J> to ENCRYPT         Encrypt

Party A with identity ID_(A) encrypts message m using the output of SIGN and the identity ID_(B) of the intended receiver by executing the steps of the following ENCRYPT algorithm (block 63 in FIG. 3):

-   -   1. Compute Q_(B)←H₁(ID_(B))     -   2. Compute w←p(Q_(B), rR_(T2))     -   3. Compute f←H₃(w)⊕(J∥ID_(A)∥m)     -   4. Return ciphertext c: <X₁, X₂, f>

Party A then outputs the ciphertext c for receipt by party B. Party B receives ciphertext c′ which is purportedly is ciphertext provided by party A (that is, ciphertext c).

Decrypt

Party B with identity ID_(B) decrypts ciphertext c′: <X′₁, X′₂, f> using S_(B)←s₂H₁(ID_(B)) by executing the steps of the following DECRYPT algorithm (block 64 in FIG. 3):

-   -   1. Compute w′←p(S_(B), X′₂)     -   2. Compute: f′⊕H₃(w′) and, taking this to be the string:         J′∥ID_(A)′∥m′, recover from this string its constituent         components.     -   3. Return the message m′, the signature σ′=<X′₁, X′₂, J′>, and         the identity ID_(A)′ of the purported sender.         Verify

Party B then verifies the signature <X′₁, X′₂, J′> of party A on message m by executing the steps of the following VERIFY algorithm (block 65 in FIG. 3):

-   -   1. Compute Q′_(A)←H₁(ID′_(A))     -   2. Compute h′←H₂(X′₁, X′₂, m′)     -   3. Check whether:         p(P _(T1) ,J′)=p(R _(T1) ,X′ ₁ +h′Q′ _(A)), and         p(X′ ₁ ,P _(T2))=p(P _(T1) ,X′ ₂)         -   if both checks are passed, return True, otherwise return             False.

Note that the second test of step 3 above is used to check if the signer and the encryptor are the same entity. If this issue is not of concern, this test can be ignored.

The signcryption schemes of FIGS. 2 and 3 offer the advantages of being suitable for situations where the message sender and receiver belong to different trusted-authority domains (which is the more general case), and are reasonably efficient compared with the prior solutions for such situations.

It will be appreciated that the generation of S_(A) by the trusted authority T1 will typically only be done after T1 had checked the entitlement of party A to the identity ID_(A); similarly the trusted authority T2 will generally only generate S_(B) after checking the entitlement of party B to the identity ID_(B) (it is noted that in many applications S_(B) will only be generated after party B has received the signcrypted message—in other words, it is not required that all steps of EXTRACT be carried out together before another of the algorithms is commenced).

It will be appreciated that many variants are possible to the above described embodiments of the invention. For example, in the ENCRYPT algorithm used in FIGS. 2 and 3 (blocks 53 and 63), the computation: f←H ₃(w)⊕(J∥ID _(A) ∥m) can be replaced by any symmetric-key encryption process Enc(w, J∥ID_(A)∥m) taking w as the encryption key for encrypting the string (J∥ID_(A)∥m); any deterministic processing carried out on w before it is used in the underlying encryption algorithm is taken to reside in Enc( ). In this case, in DECRYPT (blocks 54, 64) the corresponding computation: f′⊕H ₃(w′) is replaced by the corresponding symmetric-key decryption operation Dec(w′, J′∥ID_(A)′∥m′) using w′ as the key.

In the embodiments described above with reference to FIGS. 2 and 3, the ciphertext is anonymous in that the identity of the signer is not discernible except by party B; this is as a result of the identity ID_(A) of party A being concatenated with m and J for encryption. If anonymity is not required, then the identity ID_(A) of party A can be sent unencrypted as a separate element (any change to this identity before delivery to party B resulting in the verification step failing).

It will be appreciated that the order of concatenation of concatenated components does not matter provided this is known to both parties A and B. Indeed, these components can be combined in ways other than by concatenation. Thus, the concatenation carried out during signing and verification can be replaced by any deterministic combination function, whilst the concatenation carried out during encryption can be replaced by any combination function that is reversible (as the decryption process needs to reverse the combination done in the encryption process). It is also possible to include additional components into the set of components subject to combination.

It will be further appreciated that the message m can comprises any subject data including text, an image file, a sound file, an arbitrary string, etc.

In the foregoing description of embodiments of the invention it has been assumed that all the elements P (or P_(T1), P_(T2)), Q_(A) and Q_(B) (and their derivatives R (or R_(T1), R_(T2)), S_(A), S_(B)) are members of G₁ and that the bilinear map p has the form: p:G ₁ ×G ₁ →G ₂ with both the Weil and Tate pairings being suitable implementations of the map. In fact, it is also possible for one or both of the elements Q_(A), Q_(B) not to be restricted to G₁ provided they are in G₀; in this case, the bilinear map can be of the form: p:G ₁ ×G ₀ →G ₂ with the Tate pairing being a suitable implementation. Where it is Q_(B) that is unrestricted to G₁, then the order of the elements in the pairings used for determining w and w′ in the foregoing embodiments described with respect to FIGS. 2 and 3 should be reversed (so that the element constituted by, or based on, Q_(B) is the second element of the pairing). It will be appreciated that the co-domain of the hash function H₁( ) is G₀ where it is to be used to convert one or both of the identities ID_(A) and ID_(B) into elements in G₀ without the restriction of being in G₁. Different versions of H₁( ) can be provided where only one of Q_(A) and Q_(B) is unrestricted to G₀, one with a co-domain of G₁ and the other with a co-domain of G₀. For the FIG. 3 embodiment, where H₁( ) is used to form the elements P_(T1) and P_(T2), the version of H₁( ) used for this should have a co-domain of G₁. 

The invention claimed is:
 1. An identifier-based signcryption method using bilinear maps comprising: a first party associated with a first identifier string ID_(A) signcrypting data m intended for a second party associated with a second identifier string ID_(B), the first and second parties being respectively associated with first and second trusted authorities that have different respective public keys and different respective private keys s₁ and s₂; with a programmed computing entity in communication with a computer network, the first party receives from the first trusted authority a private-key element S_(A) based on the first identifier string ID_(A) and the first trusted party's private key s₁, and with the programmed computing entity in communication with the computer network, the first party signcrypts the data m using a hash function that accepts as input at least the public keys of the first and second trusted authorities, signcrypting the data m further using said first party's own private-key element S_(A) and the second identifier string ID_(B).
 2. A method according to claim 1, wherein the public key of the first trusted authority comprises elements P and R_(T1) where R_(T1)=s₁P, and the public key of the second trusted authority comprises the element P and an element R_(T2) where R_(T2)=s₂P; the private-key element S_(A) of the first party being formed as s₁Q_(A) where Q_(A) is an element formed from the first identifier string ID_(A), and the second party having an associated element Q_(B) formed from the second identifier string ID_(B), said elements being members of an algebraic group G₀ with at least the elements P, R_(T1) and R_(T2) being in a subgroup G₁ of G₀ where G₁ is of prime order l and in respect of which there exists a computable bilinear map p; the first party signcrypting the data m by a process comprising: (a) signing m by computing: X←rP where r is randomly chosen in Z_(l)*; h←H ₂(C ₁(at least X and m)) where H₂: {0,1}*→Z_(l) and C₁( ) is a deterministic combination function, J←(rR _(T1) +hS _(A)) (b) encrypting m and signature data by computing: w as the bilinear mapping of elements Q_(B), and rR_(T2), and f←Enc(w,C ₂(at least J and m)) where Enc( ) is a symmetric-key encryption function using w as key, and C₂( ) is a reversible combination function; (c) outputting ciphertext comprising X and f.
 3. A method according to claim 2, wherein in step (b) the set of quantities to which the combination function C₂( ) is applied comprises at least J, m and the identity ID_(A) of the first party, whereby this identity is encrypted in the ciphertext.
 4. A method according to claim 2, wherein in step (c) the identity ID_(A) of the first party is output in unencrypted form along with X and f.
 5. A method according to claim 2, wherein at least one of the functions C₁( ) and C₂( ) is a concatenation function.
 6. A method according to claim 2, wherein the symmetric-key encryption function Enc( ) effects at least the followings operations: forming a hash of the key w; forming an Exclusive-OR of the hash of w with the output of the combination function C₂( ).
 7. A method according to claim 2, wherein all said elements are in the subgroup G₁ and the bilinear map p is of the form: p:G ₁ ×G ₁ →G ₂ where G₂ is a subgroup of a multiplicative group of a finite field.
 8. A method according to claim 7, wherein the bilinear map is a Weil or Tate pairing.
 9. A method according to claim 2, wherein only the public key elements of the trusted authorities are restricted to the subgroup G₁ and the bilinear map p is of the form: p:G ₁ ×G ₀ →G ₂ where G₂ is a subgroup of a multiplicative group of a finite field.
 10. A method according to claim 9, wherein the bilinear map is a Tate pairing.
 11. A method according to claim 1, wherein the public key of the first trusted authority comprises an element P_(T1) and an element R_(T1) where R_(T1)=s₁P_(T1), and the public key of the second trusted authority comprises an element P_(T2) and an element R_(T2) where R_(T2)=s₂P_(T2); the private-key element S_(A) of the first party being formed as s₁Q_(A) where Q_(A) is an element formed from the first identifier string ID_(A), and the second party having an associated element Q_(B) formed from the second identifier string ID_(B), said elements being members of an algebraic group G₀ with at least the elements P_(T1), P_(T2), R_(T1) and R_(T2) being in a subgroup G₁ of G₀ where G₁ is of prime order/and in respect of which there exists a computable bilinear map p; the first party signcrypting the data m by a process comprising: (a) signing m by computing: X ₁ ←rP _(T1) X ₂ ←rP _(T2) where r is randomly chosen in Z_(l)*; h←H ₂(C ₁(at least X ₁ , X ₂ and m)) where H₂: {0,1}*→Z_(l) and C₁( ) is a deterministic combination function, J←(rR _(T1) +hS _(A)) (b) encrypting m and signature data by computing: w as the bilinear mapping of elements Q_(B) and rR_(T2), and f←Enc(w,C ₂(at least J and m)) where Enc( ) is a symmetric-key encryption function using w as key, and C₂( ) is a reversible combination function; (c) outputting ciphertext comprising X₁, X₂ and f.
 12. A method according to claim 11, wherein in step (b) the set of quantities to which the combination function C₂( ) is applied comprises at least J, m and the identity ID_(A) of the first party, whereby this identity is encrypted in the ciphertext.
 13. A method according to claim 11, wherein in step (c) the identity ID_(A) of the first party is output in unencrypted form along with X₁, X₂ and f.
 14. A method according to claim 11, wherein at least one of the functions C₁( ) and C₂( ) is a concatenation function.
 15. A method according to claim 11, wherein the symmetric-key encryption function Enc( ) effects at least the followings operations: forming a hash of the key w; forming an Exclusive-OR of the hash of w with the output of the combination function C₂( ).
 16. A method according to claim 11, wherein all said elements are in the subgroup G₁ and the bilinear map p is of the form: p:G ₁ ×G ₁ →G ₂ where G₂ is a subgroup of a multiplicative group of a finite field.
 17. A method according to claim 16, wherein the bilinear map is a Weil or Tate pairing.
 18. A method according to claim 11, wherein only the public key elements of the trusted authorities are restricted to the subgroup G₁ and the bilinear map p is of the form: p:G ₁ ×G ₀ →G ₂ where G₂ is a subgroup of a multiplicative group of a finite field.
 19. A method according to claim 18, wherein the bilinear map is a Tate pairing.
 20. Apparatus for use in a signcryption method in which a first party has an associated first identifier string ID_(A), a second party has an associated second identifier string ID_(B), a first trusted authority has a private key s₁ and a public key comprising elements P and R_(T1) where R_(T1)=s₁P, a second trusted authority has a private key s₂ and a public key comprising the element P and an element R_(T2) where R_(T2)=s₂P, the first trusted authority is arranged to form a private-key element S_(A) for the first party as s₁Q_(A) where Q_(A) is an element formed from the first identifier string ID_(A), and the second party has an associated element Q_(B) formed from the second identifier string ID_(B), said elements being members of an algebraic group G₀ with at least the elements P, R_(T1) and R_(T2) being in a subgroup G₁ of G₀ where G₁ is of prime order/and in respect of which there exists a computable bilinear map p; the apparatus comprising a computing entity programmed to signcrypt data m for the first party, said computing entity comprising: a signing arrangement arranged to sign m by computing: X←rP where r is randomly chosen in Z_(l)*; h←H ₂(C ₁(at least X and m)) where H₂: {0,1}*→Z_(l) and C₁( ) is a deterministic combination function, J←(rR _(T1) +hS _(A)) an encryption arrangement arranged to encrypt m and signature data by computing: w as the bilinear mapping of elements Q_(B), and rR_(T2), and f←Enc(w,C ₂(at least J and m)) where Enc( ) is a symmetric-key encryption function using w as key, and C₂( ) is a reversible combination function; an output arrangement for outputting ciphertext comprising X and f.
 21. Apparatus according to claim 20, wherein the encryption arrangement is arranged to apply the combination function C₂( ) to a set of quantities comprising at least J, m and the identity ID_(A) of the first party, whereby this identity is encrypted in the ciphertext.
 22. Apparatus for use in a signcryption method in which a first party has an associated first identifier string ID_(A), a second party has an associated second identifier string ID_(B), a first trusted authority has a private key s₁ and a public key comprising an element P_(T1) and an element R_(T1) where R_(T1)=s₁P_(T1), a second trusted authority has a private key s₂ and a public key comprising an element P_(T2) and an element R_(T2) where R_(T2)=s₂P_(T2), the first trusted authority is arranged to form a private-key element S_(A) for the first party as s₁Q_(A) where Q_(A) is an element formed from the first identifier string ID_(A), and the second party has an associated element Q_(B) formed from the second identifier string ID_(B), said elements being members of an algebraic group G₀ with at least the elements P_(T1), P_(T2), R_(T1) and R_(T2) being in a subgroup G₁ of G₀ where G₁ is of prime order/and in respect of which there exists a computable bilinear map p; comprising a computing entity programmed to signcrypt data m for the first party, said computing entity comprising: a signing arrangement arranged to sign m by computing: X ₁ ←rP _(T1) X ₂ ←rP _(T2) where r is randomly chosen in Z_(l)*; h←H ₂(C ₁(at least X ₁ , X ₂ and m)) where H₂: {0,1}*→Z_(l) and C₁( ) is a deterministic combination function, J←(rR _(T1) +hS _(A)) an encryption arrangement arranged to encrypt m and signature data by computing: w as the bilinear mapping of elements Q_(B) and rR_(T2), and f←Enc(w,C ₂(at least J and m)) where Enc( ) is a symmetric-key encryption function using w as key, and C₂( ) is a reversible combination function; an output arrangement for outputting ciphertext comprising X₁, X₂ and f.
 23. Apparatus according to claim 22, wherein the encryption arrangement is arranged to apply the combination function C₂( ) to a set of quantities comprising at least J, m and the identity ID_(A) of the first party, whereby this identity is encrypted in the ciphertext. 